Hi,

I want to send my hard disk overseas in the mail (courier), which has important data. The HDD has 5 partitions, 4 of which are data partitions. How do I protect my data in case the HDD ends up in the wrong hands?

The only way I thought of was BitLocker or TrueCrypt, but do I need to encrypt the system partition, or do I need a system partition at all, because the HDD would be used on a different machine & Windows won't boot on that machine anyway. So why not just format or delete the system partition after I have encrypted the data partitions? Would that be a good solution?

Also, can I encrypt a few folders in one partition with "Folder Lock" software with a different password so I have more protection?

The reason being a software called "Forensic Disk Decrypter" by Elcomsoft, which claims to decrypt the 3 major encryption software, namely BitLocker, TrueCrypt & PGP.

So where does that leave us?

Thanks

Use Truecrypt with Full Disk Encryption, no containers or just partitions - ALL of it. Nothing else if you do not know EXACTLY what you are doing.

The problem with system partitions is that temporary data, i.e., part of your data in RAM can be stored on your hard disk. Among other things that can be files you want to protect or even the very keys an encryption software stores there. There are attacks against just this thing.

Folder encryption is generally a bad idea as there is again the issue with temporary data, also ANY trace of the before unencrypted data has to be wiped, not just 'deleted'. That includes any copies made to and from that encrypted folder during your normal work.

Further, only partially encrypted disks can be tampered with easily, think trojan horse, rootkit etc. and the presumably secure data thus copied and later decrypted when you type in the password.

Full disk encryption for data at rest is thus the only allowed method in any sensible security policy, company or government or whatever.

Ohh, sneaker-net, rarely thought one employed such things anymore with the abundance in bandwidth. But yeah. FDE is probably the only way to go for that. As for the software, any such software is usually either bogus, or has fine print that you will find, since they rely on memory dumps or similar exploits to attack not the encryption, but the safety of the actual encryption keys.

Rübenschwein wrote:Use Truecrypt with Full Disk Encryption, no containers or just partitions - ALL of it. Nothing else if you do not know EXACTLY what you are doing.

The problem with system partitions is that temporary data, i.e., part of your data in RAM can be stored on your hard disk. Among other things that can be files you want to protect or even the very keys an encryption software stores there. There are attacks against just this thing.

Folder encryption is generally a bad idea as there is again the issue with temporary data, also ANY trace of the before unencrypted data has to be wiped, not just 'deleted'. That includes any copies made to and from that encrypted folder during your normal work.

Further, only partially encrypted disks can be tampered with easily, think trojan horse, rootkit etc. and the presumably secure data thus copied and later decrypted when you type in the password.

Full disk encryption for data at rest is thus the only allowed method in any sensible security policy, company or government or whatever.

Cheers

You sold me on that.

But due to limited knowledge, I have some maybe stupid questions.

This hard disk is being sent overseas to someone else who has a totally different system with totally different configuration.

So, how would a fully encrypted hard disk boot on that system?

From my previous experience with two different machines, I never was able to boot a hard disk of one machine on a second machine. If I wanted to do that, I had to delete (format) the system partition & reinstall Windows on the second machine in order to boot Windows & access other partitions.

Also a software named "Exlade Cryptic Disk" claims to simultaneously use more than one algorithm for extra security.

What's the primary intent here? To send the data, to send a bootable system drive, or both? Moving Windows boot drives between systems with different hardware is potentially problematic (device driver issues), and also a potential EULA violation (depending on the circumstances). At the very least, it'll require re-activation within 3 days, otherwise the system will cripple itself. Re-activating will also potentially require a phone call to MS tech support (since automatic re-activation is likely to fail).

The years just pass like trains. I wave, but they don't slow down. -- Steven Wilson

If it is sensitive data that you need to send what is the point of sending a HDD?

I am a big believer in hardware always-on encryption. But then I am no expert on it, but from what I have read, there is nothing much safer, and easier to use than hardware level encryption.

If it is a few files and you don't want them to fall into the wrong hands, you can try an Ironkey. I have been using it and been a happy camper. If not, then you can try hardware encrypted drives. If you are looking for peace of mind, and ease of use, I think this is the best way to go, IMO.

This hard disk is being sent overseas to someone else who has a totally different system with totally different configuration.

Ok, so there is no need for any system partition at all. You just want to send "data" in a format that can be used by the receiving party with as little effort as possible. Then instead of fully encrypting the entire disk, I would recommend the use of a Truecrypt container for the data. All the receiving party has to do then is to have Truecrypt installed and mount said container with the correct password. I recommend reading up a bit on those containers.

Just make sure to wipe the rest of the disk after creating the containers, assuming the data is already on that hard disk. If there never was any sensitive data on the disk to be sent beforehand you are fine, just creating the container on it and filling it with your data.

Also a software named "Exlade Cryptic Disk" claims to simultaneously use more than one algorithm for extra security.

Not familiar with it, but it sounds a lot like snake oil and/or marketing talk. Truecrypt makes near perfect use of well established security functions and also comes with very good standard settings for the common user. For that very reason it is so widely used.

Reading back on what I wrote, I realize I sound a bit like Truecrypt is the only possible solution. There are lots of equivalents in a way, commercial or free. It's just that it's free, duh, open source, has been widely scrutinized and is really easy to use. In the end, all you have to get right is to choose a secure password, i.e., at least 12 characters of a 'word' not in any dictionary.

Really appreciate all the suggestions & let me give more details of the purpose & what I am trying to achieve.

First it is only the data that I need to send & some of it is very sensitive & some very little but together they are intertwined & thus must all be protected. Amount of data is part of a research project collected over a long period of time with exhausting work, almost 12 to 14 Hours a day over a 6 year period & hence over 400 GB.

I have posted the Exlade video link where they mention that you can use more than one algorithm in random order & it kind of impressed me, but I am no expert & would love your comments if you do get a few minutes to watch it at your convenience.

Also would like your comments on encrypting an encrypted container with a different password & whether it would work or may compromise the whole thing.

Ease of use & being able to retrieve the data at the other end is very important too.

Also a software named "Exlade Cryptic Disk" claims to simultaneously use more than one algorithm for extra security.

Not familiar with it, but it sounds a lot like snake oil and/or marketing talk.

It's talking about nesting encryption algorithms, which isn't uncommon. For instance, Truecrypt can create a container which will first encrypt the container with AES, then Twofish, and finally Serpent. It's like a database claiming to let people store and read data.

@dan99t Something else you could do is encrypt the files using GnuPG (http://gnupg.org/ or http://www.gpg4win.org/). The files could also be housed inside a Truecrypt container. GnuPG would require exchanging keys with the receiving party, but you wouldn't have to figure out how to exchange the password, and, optionally, the key file.

I don't have any experience with Bitlocker, but Truecrypt is very portable. All you need is a password and, optionally, a key file to decrypt the partition or container.

Is this a best effort to keep unauthorized people from seeing the data, like for HIPAA or FIPS, or is this seriously hardcore state secrets type stuff?

Also my bigger concern is protecting data with the kind of encryption method that can't be cracked.

Just portability.

Technically, most encryption can be cracked. It's just a matter of how much effort is required to crack it, what the weak link is, and when the data is going to be obsolete. For instance, if you're trying to decrypt a message between two people about what they are going to do tomorrow and it will take you two weeks to decrypt the message, it's not really worth the effort. You could just follow them, and find out what they are going to do.

You really need to define who you're trying to keep the data away from. A Nation/State is different than some random person.

Asymmetric encryption is one of the more secure forms of encryption. This assumes the recipient has secured his private key, and there isn't a third party that has obtained a copy of it.

Defense in depth is the best option. GnuPG encrypt the Truecrypt container, or Truecrypt container/partition which houses GnuPG encrypted files.

dan99t wrote: When you open a fully encrypted disk OR a partition that is encrypted, is the data now decrypted and does it act just like regular non-encrypted data?

Also if I copy some data from an encrypted partition to another HDD or removable media, is that data in decrypted form & does it act like regular data?

Also how vulnerable is the disk that was encrypted but you opened it to work on it?

Yes and yes to your first two questions. If the door is open, the door is open. The data is decrypted when the data is decrypted, and it's only safe when encrypted and the machine is off.

If you want to get into serious paranoia about the data, the machine it's on needs to be air gapped from any and all networks, and it only needs to be turned on when access to the data is needed. All non-essential ports need to be physically disabled, and by physically disabled, I mean filled with superglue or epoxy, and physical access is secured by multiple layers of security.

just brew it! wrote:Yup what you really want to do here is get an external hard drive, and copy the data to that in encrypted form. Don't send the OS system drive!

I have extra internal HDD. Any advantage of getting external ?

Less chance of the drive getting damaged in shipping or re-installation in the system of the person you're shipping it to. You could also get just an enclosure and install the existing drive in it, effectively turning it into an external.

dan99t wrote:Also my bigger concern is protecting data with the kind of encryption method that can't be cracked.

Well, *any* encryption can be cracked eventually, given enough resources. What sort of potential "bad guys" are you worried about here? Just run-of-the-mill information thieves? Or something bigger (e.g. government agencies with supercomputers and a staff of encryption experts at their disposal)? Any of the widely used current encryption tools, when used with a strong password, should give you adequate protection against the first type of threat. If you're dealing with the second type of threat, you've probably got bigger things to worry about than which encryption software you used...

The years just pass like trains. I wave, but they don't slow down. -- Steven Wilson

just brew it! wrote:Yup what you really want to do here is get an external hard drive, and copy the data to that in encrypted form. Don't send the OS system drive!

I have extra internal HDD. Any advantage of getting external ?

Less chance of the drive getting damaged in shipping or re-installation in the system of the person you're shipping it to. You could also get just an enclosure and install the existing drive in it, effectively turning it into an external.

dan99t wrote:Also my bigger concern is protecting data with the kind of encryption method that can't be cracked.

Well, *any* encryption can be cracked eventually, given enough resources. What sort of potential "bad guys" are you worried about here? Just run-of-the-mill information thieves? Or something bigger (e.g. government agencies with supercomputers and a staff of encryption experts at their disposal)? Any of the widely used current encryption tools, when used with a strong password, should give you adequate protection against the first type of threat. If you're dealing with the second type of threat, you've probably got bigger things to worry about than which encryption software you used...

Which by the way, if you are a secret agent, your secret is safe with us. I have always wanted to be part and fall into the webs of espionage. Nerd fantasy.

just brew it! wrote:Yup what you really want to do here is get an external hard drive, and copy the data to that in encrypted form. Don't send the OS system drive!

I have extra internal HDD. Any advantage of getting external ?

Less chance of the drive getting damaged in shipping or re-installation in the system of the person you're shipping it to. You could also get just an enclosure and install the existing drive in it, effectively turning it into an external.

dan99t wrote:Also my bigger concern is protecting data with the kind of encryption method that can't be cracked.

Well, *any* encryption can be cracked eventually, given enough resources. What sort of potential "bad guys" are you worried about here? Just run-of-the-mill information thieves? Or something bigger (e.g. government agencies with supercomputers and a staff of encryption experts at their disposal)? Any of the widely used current encryption tools, when used with a strong password, should give you adequate protection against the first type of threat. If you're dealing with the second type of threat, you've probably got bigger things to worry about than which encryption software you used...

I am pretty sure that my secrets are safe with you guys, otherwise I wouldn't be here.

Do you think that I would be posting on this type of venue if I was up against the second kind of threat ?

There are a bunch of ways to encrypt data. FDE (full disk encryption) is the most common if you are doing it on system drives. For secondary drives either FDE or a Truecrypt container should work well enough. If you have a single file or a small number of files, you can also use something like Axcrypt, which is similar to Truecrypt except it only encrypts single files, and doesn't require any drivers since you can easily create self-decrypting files that only need to be supplied with the chosen key. Pretty similar to a zip archive using AES, except Axcrypt has a couple of ways to slow down brute-force attempts.

The thing is that to be totally sure, you should get a new drive, create a container/encryption on it, then add the data to that container. Otherwise if you create a container on a drive where the data resides, you need to be sure to run software that will overwrite the sectors where the sensitive data has resided, otherwise somebody would be able to run recovery software and do a raw recovery of the sectors and possibly mine a good bunch of the data. And I'm not kidding, some forensics software is pretty darn good nowadays. Even the home-use software that can recover files can easily recover any fragments that haven't been overwritten. The problem with home use is that most of that software relies on finding enough of the file system to make good sense of the data, while more professional forensic software might go for the data itself, depending on what you are looking for.

The biggest part with encryption today isn't the brute-force hacking for the most part. The biggest obstacle is key management. First, selection of keys can be tricky. If you use a pass-phrase, then it will need to fall outside of pre-computed tables, which means phrases aren't that secure unless they are also fudged a bit. Then once you have a good key, how do you remember it, do you store it somewhere, password program, etc. Or you can go the other way of using PKI, but that requires a whole lot more know-how and infrastructure to manage it properly, not to mention securing the private key. When used properly, this is very secure. The problem again is key management and exchanging keys.

And that's also what you come down to when it comes to a lot of vulnerabilities on full disk encryption. You rarely attack the encryption itself, but attack the key management. That means doing memory dumps taking advantage of DMA access through FireWire/DisplayPort/buses/etc. or finding other ways to get the keys. Memory retention in the RAM can also be prolonged by cooling the RAM and reading it out on another computer if you have physical access but the computer was just turned off.

And if you really want to be esoteric, not even an air gap from networks or glued ports is enough, since you deal with electric circuits that will radiate a bit and will let information traverse air. Search for TEMPEST and van Eck phreaking if you are more interested in the subject. There's a reason many government facilities that deal with really sensitive stuff require a radio-isolated environment that is essentially a Faraday cage that will hinder electromagnetic radiation from traversing the boundary of the room.
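A pre-shipping check for the advice above about overwriting sectors that once held the unencrypted data, added here as an illustration and not part of any poster's message: it walks a raw image block by block and flags anything that still looks like plaintext. The signature table, the 7.5 bits/byte threshold, the function names and the five-block sample image are all constructed for this example.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096
# Small constructed table of file signatures that often survive a "delete".
SIGNATURES = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/office",
              b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, near 8.0 for ciphertext."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    if not any(block):
        return "zeroed"
    for magic, name in SIGNATURES.items():
        if block.startswith(magic):
            return "signature:" + name
    # Threshold is an assumption: encrypted or random-wiped 4 KiB blocks sit near 7.95.
    return "low-entropy" if entropy(block) < 7.5 else "random-like"

def audit(image: bytes):
    """Return (offset, verdict) for every block that still looks like plaintext residue."""
    findings = []
    for off in range(0, len(image), BLOCK):
        verdict = classify(image[off:off + BLOCK])
        if verdict not in ("zeroed", "random-like"):
            findings.append((off, verdict))
    return findings

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext or a random-pass wipe (SHA-256 in counter mode)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def sample_image(wiped: bool) -> bytes:
    """Constructed image: two residue blocks, a two-block container, one zeroed block."""
    notes = (b"subject,visit,result\n" * 200)[:BLOCK]
    pdf = (b"%PDF-1.4\n" + pseudo_random(BLOCK, b"pdf"))[:BLOCK]
    if wiped:  # the overwrite step: residue blocks replaced with random data
        notes, pdf = pseudo_random(BLOCK, b"w1"), pseudo_random(BLOCK, b"w2")
    return notes + pdf + pseudo_random(2 * BLOCK, b"container") + bytes(BLOCK)

if __name__ == "__main__":
    for label, img in (("before wipe", sample_image(False)),
                       ("after wipe", sample_image(True))):
        print(label, audit(img))
```

A clean result only means no block looks like plaintext: leftover compressed data in the middle of a file is as random-looking as ciphertext, so this complements a full overwrite of the free space rather than replacing it.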